Set Maximum Number of Invalid Password Attempts

Locate the setting in the Web server’s web.config file for two-tier configuration or the Application server’s web.config file for three-tier configuration. These settings are in the <membership> section.

maxInvalidPasswordAttempts=“9999” passwordAttemptWindow=“1”

Set the number of allowed attempts, the amount of times the user can enter their password incorrectly in a certain amount of time before the account becomes locked.

Set the number of minutes, for the number of attempts to happen. For example, if you enter the wrong password within a 10 minutes window, you are locked out.

NOTE: Based on the default settings, a user has to enter their password 9999 time in one minute before being locked out.